Slashdot Mirror


User: fnj

fnj's activity in the archive.

Stories: 0
Comments: 5,577

Comments · 5,577

  1. Re:I have an idea on Apple Fixes Shellshock In OS X · Score: 1

    Thank you. Very clear thinking.

  2. Re:There are no "remote" exploits for bash on Bash To Require Further Patching, As More Shellshock Holes Found · Score: 1

    The setup script for Altera's Quartus II IDE uses "/bin/env" to find "sh" on Linux. I mean WTF... env isn't located in /bin on most systems. env isn't even given a standard location by POSIX or LSB, whereas sh is. Granted, they assume some ancient version of RH, but it works fine on Debian.

    Since linux has now fucked up the directory structure, /bin/env is the same as /usr/bin/env now. Hey, look on the plus side. It's easier to find executables now.

    Now /bin, /usr/bin, /sbin, and /usr/sbin are all symlinked to one place, and /lib, /lib64, /usr/lib, and /usr/lib64 are all symlinked to one place. At least that's the way it is on arch, and I have no doubt all distros will be going that route.

  3. Re:I have an idea on Apple Fixes Shellshock In OS X · Score: 1

    Unless of course the malefactors know this and stick BASH_FUNC_ in front of their exploit strings.

  4. Re:Issue with FSF statement... on Apple Yet To Push Patch For "Shellshock" Bug · Score: 1

    At least the AC is now down mod'ed to -1. So mission accomplished. I think some people confuse well-deserved straightforward insults in connection with a factual refutation to a twit ... "flamebait", but plenty of others plainly do not.

  5. Re:Is the bash parser a lost cause? on Bash To Require Further Patching, As More Shellshock Holes Found · Score: 1

    why do people keep picking on Bash when many other software programs have had these problems

    Those programs are not shells. Now show me bugs in BSD's POSIX sh, or dash, or mksh, or zsh that approach anywhere near the unacceptable gross severity of Shellshock in bash. If you can do that, we might lay off flaying bash. Until then, it is bloody obvious why we keep "picking on" bash.

  6. Re:There are no "remote" exploits for bash on Bash To Require Further Patching, As More Shellshock Holes Found · Score: 2

    /bin/sh is linked to /bin/bash and vulnerable

    Only for a distro which is designed and implemented STUPIDLY. Granted a lot of major distros do this. RHEL for example. And yes, it is stupid and lazy. It is stupid because bash does not perfectly implement POSIX sh behavior. Even when $0 is /bin/sh, the reduced emulation is flawed. It still allows extensions which expose bugs. And it is lazy because they allowed crap scripts to creep into the system so that they decided it was too hard to weed them out. A crap script is one whose shebang line says "#!/bin/sh" instead of "#!/bin/bash", which claims that all it needs is POSIX sh, but which still relies on bash extensions, because the writer never tested it on a real sh.

    Debian and ubuntu link /bin/sh to dash instead of bash. The BSDs do not link /bin/sh to anything; they start with a proper POSIX sh. Dash, and BSD sh, are much better implementations of POSIX sh behavior than bash is. They don't have the buggy extensions and are much lighter weight. The best interactive shell is not the best, or even necessarily an acceptable, scripting shell. You can install bash in debian or ubuntu or BSD and it doesn't hook into and take over /bin/sh.

    Let's not forget that the multiple bugs which have recently come to light are all in bash. I have seen nothing similar exposed in BSD sh, dash, mksh, csh/tcsh, or zsh. Looks to me like the coding of bash was crappy going back at least 25 years.

  7. Re:Cost on World's Smallest 3G Module Will Connect Everything To the Internet · Score: 1

    Er, if you have a wireless LAN, you might as well have a router to an always-on internet connection, and say a Beaglebone Black for smarts to collect the data and forward it. That way you don't need any of these modules at all.

  8. Re:Cost on World's Smallest 3G Module Will Connect Everything To the Internet · Score: 1

    If you're hooking up things in your house, use something like the ESP8266. It does WPA2/bgn, has a range of 100 feet with just the chip antenna, max transmit for less than 250 mA, sleeps at 10 mA, and only costs 5 USD single module pricing.

    I was going to ridicule any piece of junk with that colossal level of sleep current. Then I looked up the specs and found it's a more palatable 10 microamps power-down and 1 mW standby. Still higher than it should be IMO, but at least usable.

    Example: a PIC18 can easily handle measuring remote temperature (outdoors, cellar, hot and cold water pipes, unused rooms, etc) using a Dallas 18B20 sensor, sleeping at under 1 microamp and waking once a minute for a few milliseconds. That would make possible powering with a lithium coin cell for a year. You wouldn't want the WiFi interface raising that requirement from one coin cell to 10 or 100 or 1000 coin cells.

  9. Re:Forget Apple engineers, use NetBSD's patch on Apple Yet To Push Patch For "Shellshock" Bug · Score: 0

    Mod parent informative and informative.

  10. Re:Issue with FSF statement... on Apple Yet To Push Patch For "Shellshock" Bug · Score: 4, Informative

    Show us some OS source code or shut the hell up, shill.

    OK, here's the full source to Apple's version of bash, and here is the source to the entire open part of OSX, including the XNU kernel.

    Now YOU shut the fuck up, you clueless knuckle dragging cowardly fool,

  11. Re:Issue with FSF statement... on Apple Yet To Push Patch For "Shellshock" Bug · Score: 1

    Ahem. Apple is legally compelled to issue source code for whatever version of bash they use. It's called the GPL. For the rest of their core operating system (but not the proprietary GUI), yes, Apple voluntarily has released source code. It's mostly derived from BSD licensed stuff, and nothing compelled them to do so.

    It is entirely possible to run bash on Windows, too. I'll let you figure out how. And the provider of that bash is compelled to make their source code available too.

  12. Re:Issue with FSF statement... on Apple Yet To Push Patch For "Shellshock" Bug · Score: 1

    He has no answer to that, and neither do the micro softies and apple corps who mod'ed him up.

  13. Re:~/.cshrc on Apple Yet To Push Patch For "Shellshock" Bug · Score: 4, Interesting

    Rename /bin/bash to /bin/bash.bak then create a link [cyberciti.biz] from /bin/dash to /bin/bash ..

    And get ready for a whole lot of scripts failing. Scripts that start with #!/bin/sh but are written dependent on bash features will fail. Scripts that start with #!/bin/bash on the other hand will just fail to start. You'll have a busted-ass system, but at least it won't be attacked.

    Now if you were running debian or ubuntu /bin/sh would already be a link to /bin/dash, and there wouldn't be any screwed up scripts because the design of the file layout was made by people who weren't brain dead.

  14. Re:"could be worse than Heartbleed" on Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild · Score: 1

    Agreed, but that's not "using bash as the cgi handler". Not explicitly.

  15. Re:"could be worse than Heartbleed" on Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild · Score: 1

    You're right; not only should you be unconvinced that he is right; he in fact misses the whole point and is completely mistaken.

  16. Re:"could be worse than Heartbleed" on Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild · Score: 4, Insightful

    You mod him up, and people who are smart will mod him down.

    Try to understand, this is not about executing bash scripts as cgi, and it's not about sanitizing input. Period. It is about httpd setting environment variables from unsanitized user input when calling ANY cgi. And if perl or python or php then invoke bash by, for example, executing a call to system(), the environment gets passed to bash, and bash can be made to execute something bad just by having the environment set badly, and you can be pwned.

    It took me a bit to "get it" myself.

  17. Re:It's been in bash a while. on Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild · Score: 1

    The "With many eyes all bugs are shallow" myth is busted again.

    I mean, isn't the fact that we're talking about this vulnerability at all thanks to the open-source nature of the software, and that someone has spotted the problem?

    It would be pleasant to think so, but isn't it just as possible that the discovery of the exploit was thanks to eyes on the source code? I may be naive, but it's difficult for me to believe that someone thought up the attack vector from just thinking about shells in general.

  18. Re:"Offshore" Engineering Expertise on Why India's Mars Probe Was So Cheap · Score: 1

    I would have guessed that $75K figure would be higher.

    75 grand is just the salary; not the accounting cost of employing one engineer. The latter is probably at least twice that figure. There are a lot of costs not paid to the employee directly: overhead/administration, employer matching 401k funding (used to be direct pension funding, but that's pretty much dead these days), employer share of "payroll" tax (Social Security), unemployment insurance, usually-to-almost-always health insurance, etc.

    Also, the 75 grand is not what the employee actually gets in his pocket. Lots of stuff is taken out: employee 401k contribution, employee share of "payroll" tax, federal income tax withholding, usually state income tax withholding, sometimes municipal income tax withholding, etc.

    The rotten level of engineer compensation in the U.S. is a sin when you compare it to the sky high pay and benefits showered on parasitic leeches such as government bureaucrats, politicians, judges and the like. It is also pretty pathetic compared to privileged lawyers and doctors, as well as other people who actually do genuine work, such as unionized laborers and (OK, this is stretching a bit) teachers.

  19. Re:A steaming pile of unscientific fearmongering on Fukushima Radiation Still Poisoning Insects · Score: 2

    Radiation == bad, got that.

    Are you absolutely sure about that? In what context? Do you doubt that background radiation is instrumental in mutations that lie behind evolution? Have you wondered what life forms would exist on earth if there were no evolution?

    For everything there is a level above which there is a danger or certain lethality, and below which it is often beneficial or even necessary. Too much [water, salt, potassium, calcium, ...] and you are a dead duck. Too little, and you are a dead duck. In the case of radiation, a reasonable amount almost certainly leads to benefits to humanity, while still harming some portion of individuals.

  20. Re:SO, on Fukushima Radiation Still Poisoning Insects · Score: 1

    You haven't been mod'ed "funny" yet? Or is invoking a fictional horror story your serious argument?

  21. Re:Cue the knee-jerk nuke haters & their BS. on Fukushima Radiation Still Poisoning Insects · Score: 2

    I know, but I'm afraid it's no use pointing out facts. I'd like to think anti-nuke religious zealots could be reasoned with, and maybe a small percentage of them can, and possibly it's worthwhile trying, but for the most part they will just continue frothing. It's not as bad as the berserk murdering kind of religious zealotry, but that doesn't mean the worst elements should get to dictate humanity's policy.

    I have very serious reservations about nuclear power implementations, but it's about real problems, not boogeymen. As disappointed as I am with design shortcuts, safety levels which I feel must be made far better, whistling a happy tune instead of dealing with waste, and lackadaisical oversight, I still am in awe of the potential, and I believe that science and engineering are equal to the task if we will just unleash them in the commitment-equivalent of the manhattan project.

    Let's face it. Human failings exist. We have a choice stemming from that axiom. We can either give up daring to advance, or we can learn from our mistakes, ensure that we never repeat the same ones, and expand our efforts to foresee new ones and avoid them. Specifically, both Chernobyl and Fukushima were perfectly foreseeable with the knowledge and insight that existed beforehand.

  22. Re:F-22's don't drop bombs. on US Strikes ISIL Targets In Syria · Score: 0

    All right jackass, you've been shown to be full of shit and that's the best you can do, fine.

  23. Ah yes, I see you are familiar with the elementary principle of tax progressivity.

    News flash. You can make consumption taxes just as progressive as you wish. The most trivially obvious measure you can take toward this end is to exempt clothing and food expenses. Most state sales taxes do at least some of this. Clothing and food you buy simply ring up as untaxed on the register.

    You can go well beyond this, too. Issue rebates, as inversely progressive as you wish. You pay a small amount of sales tax during the year? You get a lot of it back. Maybe all of it. Perhaps, more than you paid. You pay a gigantic amount of sales tax during the year (because you buy a lot of art and yachts)? You get only a tiny part of it rebated. I suppose if you by nature absolutely demand punishing success, you could cut off all rebates after some rich pricks spend, say, $10 million in a year. It would make a vanishingly small difference in the overall redistribution picture, but it could be up for debate.

    Housing expenses can be addressed with a fixed dollar amount lump rebate. If you rent a studio, the rebate might cover the complete rent, or even more. If you buy 12 mansions and permanently rent a penthouse on Central Park for the times you are in town, you get the same $10,000 rebate as the guy who only spends $8,000 on his housing.

    You say rebates won't cut it because you have to pay now, and only get your rebates later? Fine. You can issue prebates. Look up "Fair Tax". This has all been long since figured out.

  24. Right off the bat, I see sub rosa barter as the form of evading consumption taxes.

  25. Re:Corporate taxes on To Fight $5.2B In Identity Theft, IRS May Need To Change the Way You File Taxes · Score: 1

    Be careful what you wish for. Balancing the budget is trivially easy, but you may not find the result pleasing. Balancing the budget can just as easily be done by raising revenue as by reducing expenditures.

    Ordinary People can only do so much to raise their revenue. They can cover big capital expenses Now, like house or car, by taking on debt in the form of a mortgage or loan, or by buying on credit. This of course adds additional expense Later in the form of debt service, and most people understand this.

    The state, on the other hand, has apparently unlimited ability to raise their revenue. They "just" raise taxes to whatever level is necessary. The devil is in the details. If you raise corporate taxes, the corporations must either raise the prices of their goods and services, or cut expenses in the form of wages. Either way there is blowback. Raising prices beyond a certain optimum lowers unit sales too much, and therefore lowers corporate revenue, leading to lower profits, which means a lower tax base. Lowering wages tends to impoverish the public, which means ye friendly state loses personal income taxes. Finally, if you raise personal taxes, you directly impoverish the public, which tends to make them turn against those in power.

    On the other hand, if the state doesn't balance its budget, it can borrow money. This has its obvious downside, with which all are very familiar.

    So whether the budget is balanced or not, the consequence of overspending is pretty much the same. Impoverishment. You can play games favoring the present at the expense of the future, but you cannot avoid the consequence entirely.

    Now, if you really think the state is going to balance its budget by controlling spending rather than increasing revenue, I have to ask, what's it like in paradise? Not much like the world I live in, I suppose.